topic Re: Restricting site to site vpn access between networks in Cloud Networking Platform

Restricting site to site vpn access between networks

acadiana — Fri, 04 Nov 2022 14:17:16 GMT

I have about 15 networks that are under one dashboard. I have site to site vpn enabled for 2 networks that works just fine. Today I need to connect 2 other networks that do not need to communicate with the first 2. How do I do that? It seems they can all communicate right now.

Re: Restricting site to site vpn access between networks

ww^ — Fri, 04 Nov 2022 14:36:20 GMT

You need to use the vpn firewall to create fw rules.

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Firewall_Rule_Behavior

Another option would be to use a group policy that is using stateless fw rules. And apply that to the vlans that are part of the vpn.https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Creating_and_Applying_Group_Policies#By_VLAN

Re: Restricting site to site vpn access between networks

aleabrahao — Fri, 04 Nov 2022 14:42:23 GMT

Hi,

You can create an L3 rule on the site-to-site VPN page.

Re: Restricting site to site vpn access between networks

acadiana — Fri, 04 Nov 2022 14:47:37 GMT

It shows that its for non meraki peers, but these are all meraki peers. Still use that rule section?

Re: Restricting site to site vpn access between networks

aleabrahao — Fri, 04 Nov 2022 14:49:14 GMT

I use It for SD-WAN and It works well.

Re: Restricting site to site vpn access between networks

ww^ — Fri, 04 Nov 2022 14:49:23 GMT

"These firewall rules will apply to all MX networks in the organization that participate in site-to-site VPN (both AutoVPN and Non-Meraki)."

Re: Restricting site to site vpn access between networks

aleabrahao — Fri, 04 Nov 2022 14:51:26 GMT

Overview

Administrators have the ability to add firewall rules to restrict the traffic flow through the VPN tunnel for a Cisco Meraki MX Security Appliance. Similar to other Meraki firewall options, this firewall is stateful and will only block traffic if it does not match an existing flow.

These firewall rules will apply to all MX networks in the organization that participate in site-to-site VPN (both AutoVPN and Non-Meraki).

Creating Firewall Rules

To create a firewall rule, follow the steps below.

Navigate to Security & SD-WAN > Configure > Site-to-site VPN.
Select Add a rule in the Site-to-site outbound firewall under the Organization-wide settings section of the page.
Fill in the desired parameters for the rule
Select Save changes.

Considerations for VPN Firewall Rules

When configuring VPN Firewall rules, it is important to remember that traffic should be stopped as close to the originating client device as possible. This cuts down on traffic over the VPN tunnel and will result in the best network performance. Because of this, site-to-site firewall rules are applied only to outgoing traffic. As such, the MX cannot block VPN traffic initiated by non-Meraki peers.

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Firewall_Rule_Behavior

Re: Restricting site to site vpn access between networks

acadiana — Fri, 04 Nov 2022 15:32:02 GMT

What should the rule look like. Source and Destination?

Re: Restricting site to site vpn access between networks

ww^ — Fri, 04 Nov 2022 16:07:34 GMT

Depends on your needs.. but For example:

Allow >

source: location1 and location2 subnet destination: location1 and location2 subnet

Allow >

source: location3 and location4 subnet destination: location3 and location4 subnet

Deny > any any

Re: Restricting site to site vpn access between networks

aleabrahao — Fri, 04 Nov 2022 17:14:34 GMT